← Back to context

Comment by ykonstant

2 months ago

I need to check the rust parts of the kernel, I presume there is significant amounts of unsafe. Is unsafe Rust a bit better nowadays? I remember a couple of years ago people complained that unsafe is really hard to write and very "un-ergonomic".

17 comments

ykonstant

Reply
jenadine  2 months ago

The idea is that most of the unsafe code to interact with the C API of the kernel is abstracted in the kernel crate, and the drivers themselves should use very little amount of unsafe code, if any.

IshKebab  2 months ago

I don't think unsafe Rust has gotten any easier to write, but I'd also be surprised if there was much unsafe except in the low-level stuff (hard to write Vec without unsafe), and to interface with C which is actually not hard to write.

Mostly Rust has been used for drivers so far. Here's the first Rust driver I found:

https://github.com/torvalds/linux/blob/2137cb863b80187103151...

It has one trivial use of `unsafe` - to support Send & Sync for a type - and that is apparently temporary. Everything else uses safe APIs.

  • johncolanduoni  2 months ago

    Drivers are interesting from a safety perspective, because on systems without an IOMMU sending the wrong command to devices can potentially overwrite most of RAM. For example, if the safe wrappers let you write arbitrary data to a PCIe network card’s registers you could retarget a receive queue to the middle of a kernel memory page.

    • josephg  2 months ago

      > if the safe wrappers let you write arbitrary data to a PCIe network card’s registers

      Functions like that can and should be marked unsafe in rust. The unsafe keyword in rust is used both to say “I want this block to have access to unsafe rust’s power” and to mark a function as being only callable from an unsafe context. This sounds like a perfect use for the latter.

      8 replies →

    • umanwizard  2 months ago

      In normal user-mode rust, not running inside the kernel at all, you can open /dev/mem and write whatever you want to any process's memory (assuming you are root). This does not require "unsafe" at all.

      Another thing you can do from rust without "unsafe": output some buggy source code that invokes UB in a language like C to a file, then shell out to the compiler to compile that file and run it.

      2 replies →

jdub  2 months ago 

    unsafe {
        // this is normal Rust code, you can write as much of it as you like!
        // (and you can bend some crucial safety rules)
        // but try to limit and document what you put inside an unsafe block.
        // then wrap it in a safe interface so no one has to look at it again
    }

Cthulhu_  2 months ago

Wouldn't that be by design? If it isn't pleasant, people will avoid using it if they can.

(but as others pointed out, unsafe should only be used at the 'edges', the vast majority should never need to use unsafe)